The Spamhaus Exploits Blocklist (XBL) is a comprehensive blocklist that is updated in near real-time.

XBL lists the IP addresses of devices that are infected with malware, worms, and Trojans; third-party exploits, such as open proxies; or devices controlled by botnets. The constantly updated list is designed to protect networks from malware and spam by preventing mailservers and routers from accepting connections from compromised computing devices.

Mailservers can be configured to block connections from IPs that are listed on the XBL. Routers can also be configured to prevent XBL-listed computers from accessing their networks. By blocking connections from compromised computers, the Spamhaus XBL helps to reduce the distribution of malware and spam and can be used to mitigate DDoS attacks.

XBL is the Spamhaus brand name for its Composite Block List (CBL). The CBL team uses automated tools to observe SMTP connections to a vast number of mailservers and spam traps. Any IP address that exhibits behaviour consistent with malware infection and botnet command and control activity is added to the XBL.

This blocklist comprises individual IP addresses of computers that have been observed to be involved in sending malicious email, rather than IP address ranges or networks.

The XBL only lists IP addresses of computing devices that attempt to send malicious spam. IP addresses that are not used to send email will not be included in the XBL, even if they are involved in other malicious activity.

IP addresses can be quickly removed from the XBL once malware has been removed from individual devices, and XBL listings automatically expire after 72 hours.

The mailserver DNSBL feature is configured to query XBL.spamhaus.org whenever another IP address attempts to deliver email to it. System administrators can configure the mailserver to perform one of the following tasks whenever a connection is requested from an IP address listed in the XBL:

Refuse the connection and reject delivery of the email message

Accept the connection, but save the email in a system spam folder

Accept the connection but tag the email as **SPAM** and deliver it to the recipient, to enable them to decide whether the message is legitimate (a false positive)

Accept the connection, but silently drop the email message

Configure the mailserver to delay transmission of emails after a certain number of messages have been received, to combat spammers sending bulk emails: a practice known as ‘tar pitting.’ For example, 10,000 emails that have a 2 second delay added for every 20 emails sent would be subject to a 5 hour delay.

Follow the policy set by the systems administrator
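
The lookup described above, as an added example (not Spamhaus or mailserver code): the connecting IP is reversed, queried as an A record under xbl.spamhaus.org, and the answer is mapped to one of the actions listed. The function names, action labels and injected `resolver` are assumptions of this sketch; the 127.0.0.4-7 return range and the 127.255.255.x error answers are Spamhaus's published DNSBL return codes.

```python
import ipaddress
import socket

ZONE = "xbl.spamhaus.org"
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}  # XBL return range

def query_name(ip, zone=ZONE):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # "99.2.0.192.in-addr.arpa"
    return rev.rsplit(".", 2)[0] + "." + zone

def system_resolver(name):
    """A records for name via the host's resolver; [] when nothing resolves."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def classify(answers):
    """'not_listed' on no answer, 'listed' on an XBL code, otherwise 'error'."""
    if not answers:
        return "not_listed"
    if any(a in XBL_CODES for a in answers):
        return "listed"
    # 127.255.255.x (query refused, e.g. sent via a public resolver) or an
    # address outside the expected range: not evidence of a listing.
    return "error"

def decide(ip, listed_action="reject", resolver=system_resolver):
    """Return the action for a connecting IP; fail open on lookup errors."""
    status = classify(resolver(query_name(ip)))
    return listed_action if status == "listed" else "accept"

if __name__ == "__main__":
    # Constructed answers standing in for DNS, so the demo runs offline.
    fake_dns = {
        "99.2.0.192.xbl.spamhaus.org": ["127.0.0.4"],
        "10.2.0.192.xbl.spamhaus.org": ["127.255.255.254"],
    }
    lookup = lambda name: fake_dns.get(name, [])
    for ip in ("192.0.2.99", "192.0.2.10", "192.0.2.20"):
        print(ip, decide(ip, listed_action="tag", resolver=lookup))
```

Treating every answer as a listing would reject all mail whenever the resolver returns an error code, which is why only the XBL range triggers the configured action.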

How to benefit from XBL

Spamhaus Technology subscribers with more than 5,000 users can access near real-time XBL updates via rsync.